How to capture and decode HTTP/2 traffic with Wireshark

Last JavaOne I attended ‘HTTP 2.0 – What do I need to know?’, an excellent talk by Hadi Hariri. Many of the solutions of HTTP/2 are solutions to problems I face daily. Since I’m a curious guy I wanted to know what was happening at packet level in this awesomeness. Soon I faced SSL-decoded-packet-problems (in practice all HTTP/2 traffic is encrypted). Hadi mentioned Wireshark had support to solve this problem. He made it sound very easy, but since I wrote this article it was a bit harder.
The method I’ll explain to decode HTTP/2 can also be applied to HTTP/1.1

A little warning : my network/security knowledge is a bit rusty since I’m a Java programmer and don’t do this stuff on a daily basis.

This article is written for Mac (Yosemite) and Firefox (42). But with a but of tuning it should work on other Mac version, Linux and Chrome too.

I won’t introduce HTTP/2. There are plenty of good explanations and when you follow all the links at the Sources-section of this article you should have enough information to understand this article.

Make sure you get HTTP/2

Http/2 should be enabled by default, but when you want to disable it (to show the HTTP/1.1 SSL traffic for example) or have to troubleshoot you might have to change things.

Go to about:config in your location bar and search for ‘spdy.enabled’. In my version of Firefox there are 4 settings, which should all be set to true. When you changed a setting you should restart the browser for the settings to become active.

Now enable the network inspector in Firefox ( alt-command-Q ) and enter https://twitter.com in the location bar.
When you click the first entry (something like ‘200 GET / ‘) you should see HTTP/2.0 at the Version field on the right.

This inspector is of course a great way to analyze your traffic, since it’s in the browser you don’t need to worry about ssl decoding. But I wanted more, the raw decoded HTTP/2 packets. And since Hadi Hariri made it sound very easy I gave it a shot.

Capture the traffic

Wireshark can, of course, be used to capture traffic but I used tcpdump. I had some problems with wireshark. A lot of packets were captured, but I couldn’t find the right ones. I think it should be possible with wireshark, but with tcpdump it was a lot easier for me to direct the output to a file and do some pre-filtering on port 443 (the SSL port).

The SSLKEYLOGFILE is an environment variable used by both Chrome and Firefox to write the used keys to disk. These keys are used in Wireshark to decode the traffic (it’s called the NSS Key Log Format)

Make sure the INTERFACE variable is right (run ifconfig and look voor the various devices). If your on both a wire and wifi disable one of them since you’re never sure which device is getting the packets. lo0 can be used for local traffic.

When you’re done close your browser. I’m not exactly sure if this is needed, but it gave me more consistent results.

Now kill the capture process :

kill capture :
kill ${TCPDUMP_PID}

Load your data in Wireshark

There should be a file at /tmp/keylog.txt and /tmp/tcpdump.out. With these two files you can anlyze the traffic.

Now fire up Wireshark (as of version 2.0.0 XQuartz is gone! So make sure you update Wireshark if you already had it installed).

Load the /tmp/tcpdump.out file. All you will see isn’t very understandable. This is because everything is SSL-encrypted. To decrypt this data go to Preferences > Protocols > SSL and browse for the (Pre)-Master-Secret log filename (/tmp/keylog.txt)

When you click OK the traffic should be decoded immediately. Filter on ‘http2’ and you will see all HTTP/2 packets :

When you click on a packet with HEADERS in the info you will be able to view the HTTP/2 headers.

That’s it, this is how you decode HTTP/2 traffic. This method also applies for HTTP/1.1

Notes

Note that if you don’t see all traffic this might be due to the fact that a lot of traffic is QUIC-traffic, to see all HTTP/2 traffic you should disable QUIC. In Google Chrome this can be done at chrome://flags and search for QUIC.